
BSc Cyber Crime

CP6HK61E (HKIT)
Assignment

Cybercrime, Security Controls, and Legal Frameworks

NAME: Mak Kin Yun Riva


STUDENT ID: 12360048 (HKIT), 33115604 (UWL)
LECTURER: RUSSELL LO
DATE: 30th December 2023

Contents
1. INTRODUCTION .......................................... 3
2. Identify about 3 – 5 recent cybercrimes/cyberattacks case studies or scenarios online .......................................... 4
Add the rest of the questions
3. CONCLUSION .......................................... 7
4. REFERENCES .......................................... 9

INTRODUCTION
Cybercrime refers to criminal activities carried out in cyberspace,
encompassing a wide range of illegal actions such as hacking, identity theft,
and online fraud. Cybercrime poses a tremendous challenge not only to
individuals but also to organizations, governments, and society at large.

2. Identify about 3 – 5 recent cybercrimes/cyberattacks case studies or
scenarios online
2.1 Case 1: SolarWinds Attack (2020)

2.1.1 SolarWinds Attack (2020) Incident and Impact
SolarWinds Attack (2020): In this attack, hackers gained access to the software
supply chain of SolarWinds, a leading IT management software provider. They
inserted malicious code into software updates, which were then distributed to
thousands of organizations, including government agencies and Fortune 500
companies. The impact of this attack was widespread, compromising sensitive
data and potentially allowing hackers to infiltrate networks undetected.
2.1.2 Q2 SolarWinds Attack (2020) Primary Motives of Cybercriminals
• Espionage and Cyber Espionage: The primary motive behind the
SolarWinds attack was espionage. By compromising the software
supply chain, the attackers gained access to the networks of numerous
organizations.
1. Technological Sophistication: The attackers demonstrated a high level of
technological sophistication by compromising the software supply
chain.
2. National Security Implications: The attack underscores how technology,
when abused, can have profound implications for national security.
3. Global Reach of Cyber Threats: The SolarWinds incident had a global
reach, impacting organizations and governments worldwide.
4. Abuse of Trust in the Supply Chain: The attackers exploited the trust
placed in the software supply chain.
2.1.3 Q3 Attack Method in the SolarWinds Supply Chain Attack:
The SolarWinds Attack aligns with the kill chain model:

a. Reconnaissance: The attackers likely conducted extensive reconnaissance
to gather information about SolarWinds and its customers' networks and
systems.

b. Weaponization: The attackers weaponized their malware by inserting a
backdoor into the SolarWinds Orion software.

c. Delivery: The weaponized malware was then delivered to SolarWinds'
software build process through a compromised software development
environment.

d. Exploitation: Once the compromised software was distributed,
organizations unknowingly installed the backdoored version of SolarWinds
Orion on their systems. The attackers took advantage of this to gain access to
the victim networks.

e. Installation: After successfully exploiting the compromised software, the
attackers installed additional tools and performed other activities to
establish persistence within the victim networks.

f. Command and Control (C2): The attackers established a command and
control infrastructure to remotely manage the compromised systems.

g. Actions on Objectives: The ultimate objective of the SolarWinds Attack was
to gain unauthorized access to sensitive data and conduct espionage
activities.

STIX can be applied to the SolarWinds Attack:

a. Indicators of Compromise (IoCs): STIX allows the description and exchange
of IoCs associated with the SolarWinds Attack, such as file hashes, IP
addresses, domain names, and other artifacts relevant to the attack.
b. TTPs (Tactics, Techniques, and Procedures): STIX provides a framework to
document the specific tactics, techniques, and procedures employed by the
attackers in the SolarWinds Attack.
c. Threat Actors: STIX facilitates the description of the threat actors involved in
the SolarWinds Attack. This includes information about their motivations,
capabilities, and any known attribution details.
d. Mitigation Recommendations: STIX can include recommended mitigation
strategies and countermeasures to defend against or respond to the SolarWinds
Attack.
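The following is an added example, not part of the assignment, showing how the four kinds of STIX information listed above (IoC, TTP, threat actor, mitigation) are expressed as STIX 2.1 objects linked by relationships, plus the integrity check a receiving team should run before loading a bundle. The file hash and actor name are constructed placeholders, not real indicators from the SolarWinds incident.

```python
import json
import uuid
from datetime import datetime, timezone

def now() -> str:
    """Timestamp in the RFC 3339 form STIX 2.1 requires."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def sdo(type_: str, **props) -> dict:
    """STIX Domain Object carrying the common properties every SDO must have."""
    ts = now()
    return {"type": type_, "spec_version": "2.1", "id": f"{type_}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def relationship(src: dict, rel: str, dst: dict) -> dict:
    return sdo("relationship", relationship_type=rel,
               source_ref=src["id"], target_ref=dst["id"])

def build_bundle() -> dict:
    # a. IoC expressed as a STIX pattern (the SHA-256 is a constructed placeholder)
    ioc = sdo("indicator", name="Trojanised Orion update (placeholder hash)",
              pattern_type="stix", valid_from=now(),
              pattern="[file:hashes.'SHA-256' = '" + "00" * 32 + "']")
    # b. TTP: supply-chain compromise, referenced by its ATT&CK technique id
    ttp = sdo("attack-pattern", name="Compromise Software Supply Chain",
              external_references=[{"source_name": "mitre-attack",
                                    "external_id": "T1195.002"}])
    # c. Threat actor: placeholder name; type left "unknown" until attributed
    actor = sdo("threat-actor", name="PLACEHOLDER-ACTOR",
                threat_actor_types=["unknown"], goals=["espionage"])
    # d. Mitigation: the supplier-assessment control from the policies section
    coa = sdo("course-of-action", name="Assess suppliers and verify the "
              "integrity and provenance of every software update")
    objects = [ioc, ttp, actor, coa,
               relationship(ioc, "indicates", ttp),
               relationship(actor, "uses", ttp),
               relationship(coa, "mitigates", ttp)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def dangling_refs(bundle: dict) -> list:
    """Relationship refs pointing at objects missing from the bundle.
    A consumer should reject a bundle for which this list is non-empty."""
    ids = {o["id"] for o in bundle["objects"]}
    return [ref for o in bundle["objects"] if o["type"] == "relationship"
            for ref in (o["source_ref"], o["target_ref"]) if ref not in ids]

def indicator_patterns(bundle: dict) -> list:
    """Extract the IoC patterns a detection team would load into its tooling."""
    return [o["pattern"] for o in bundle["objects"] if o["type"] == "indicator"]

if __name__ == "__main__":
    bundle = build_bundle()
    assert not dangling_refs(bundle)
    print(json.dumps(bundle, indent=2))
```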
2.1.4 Q4 Security Policies and Controls
1. Software Supply Chain Security Policies:
o Supplier Security Assessments: Conduct thorough security
assessments of third-party suppliers and partners, especially those
involved in the software supply chain.
2. Access Control Policies:
o Multi-Factor Authentication (MFA): Enforce MFA to add an extra
layer of authentication, reducing the risk of unauthorized access.
3. Network Security Controls:
o Firewalls and Whitelisting: Configure firewalls to restrict incoming
and outgoing traffic based on established policies.
4. Endpoint Security Measures:
o Patch Management: Maintain a rigorous patch management
process to promptly apply security patches and updates to
operating systems, applications, and third-party software.
5. Incident Response and Forensics:
o Incident Response Plan: Develop and regularly update an incident
response plan that outlines the steps to be taken in the event of a
security incident.
6. User Awareness and Training:
o Security Awareness Programs: Conduct regular security
awareness training for employees to educate them about phishing
attacks, social engineering tactics, and the importance of adhering
to security policies.
7. Continuous Monitoring and Threat Intelligence:
o Continuous Monitoring: Implement continuous monitoring of
systems and networks for unusual activities.
8. Regular Security Audits and Assessments:
o Penetration Testing: Conduct regular penetration testing to
simulate real-world attacks and identify vulnerabilities in systems
and networks.
2.1.5 Q5 Security Standard, Legal Framework and Challenges
Security Standards:
• ISO 27001: Provides a framework for establishing, implementing,
maintaining, and continually improving an information security
management system.
• NIST Cybersecurity Framework: Offers guidelines for organizations to
manage and reduce cybersecurity risk.
Legal Frameworks:
• Computer Fraud and Abuse Act (CFAA): U.S. legislation that addresses
computer-related crimes and establishes legal consequences for
cybercrimes.
Challenges:
• International Cooperation: Coordinating efforts across borders can be
challenging due to differing laws and interests.
• Diplomatic Considerations: Cyber incidents can strain diplomatic
relations between nations.
• Legislation: The need for updated and adaptable legislation to address
evolving cyber threats.
• Privacy vs. Security: Balancing individual privacy rights with the need for
robust cybersecurity measures is a complex political and legal issue.

References:
https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

2.2 Case 2: Colonial Pipeline Ransomware Attack (2021)


2.2.1 Q1 Colonial Pipeline Ransomware Attack (2021) Incident and Impact
In May 2021, the Colonial Pipeline, a critical fuel pipeline system in the United
States, experienced a major ransomware attack. DarkSide, a Russian-based
cybercriminal group, was responsible for the attack. DarkSide targeted Colonial
Pipeline's computer systems, encrypting crucial data and demanding a ransom
payment in cryptocurrency for the decryption key. This attack led to the
shutdown of a significant portion of the pipeline, disrupting the distribution of
gasoline, diesel, and jet fuel along the East Coast of the United States.
2.2.2 Q2 Colonial Pipeline Ransomware Attack (2021) Primary Motives of
Cybercriminals
The Colonial Pipeline attack can be understood by examining the motives of the
cybercriminals (financial gain), their modus operandi (ransomware), and the
impact of the attack on society.
2.2.3 Q3 Colonial Pipeline Ransomware Attack (2021) Attack Method
Pattern:
Spear-Phishing: DarkSide likely initiated the attack by sending spear-phishing
emails to employees within Colonial Pipeline.
Tactics:
• Initial Access: The attackers gained initial access to Colonial Pipeline's
network through the successful phishing attempt.
• Lateral Movement: After gaining initial access, DarkSide employed
tactics to move laterally through the network.
• Data Encryption: One of the primary tactics used in this attack was the
encryption of data. DarkSide deployed ransomware within Colonial Pipeline's
network, encrypting critical files and data, making them inaccessible to the
organization.
Techniques:
• Ransomware Variant: The specific ransomware variant used by DarkSide
in this attack is known as "DarkSide Ransomware".
• Double Extortion: DarkSide is known for its "double extortion"
technique. They not only encrypt the victim's data but also exfiltrate sensitive
information before encryption.
Procedures:
• Ransom Demand: After encrypting Colonial Pipeline's data, DarkSide
demanded a ransom payment in Bitcoin, reportedly amounting to millions of
dollars.

8
2.2.4 Q4 Colonial Pipeline Ransomware Attack (2021) Security Policies and
Controls
Email Security Policies and Controls:
• Email Filtering: Implement robust email filtering and scanning to detect
and block phishing emails and malicious attachments.
Access Control Policies and Controls:
• Least Privilege Principle: Enforce the principle of least privilege to
restrict users' access to only the resources necessary for their roles.
Patch Management Policies and Controls:
• Vulnerability Scanning: Use vulnerability scanning tools to identify and
prioritize patches for critical vulnerabilities.
Network Security:
• Control: Utilize firewalls to restrict unnecessary inbound and outbound
traffic, segment networks to limit lateral movement, and deploy intrusion
detection and prevention systems to detect and block malicious activities.
2.2.5 Q5 Colonial Pipeline Ransomware Attack (2021) Security Standard, Legal
Framework and Challenges
Security Standards:
1. NIST Cybersecurity Framework: Developed by the National Institute of
Standards and Technology (NIST) in the United States, this framework
offers guidelines for improving cybersecurity risk management,
emphasizing proactive measures.
2. HIPAA (Health Insurance Portability and Accountability Act): HIPAA sets
security standards for the healthcare industry, safeguarding patient
data. Compliance requires specific security measures and breach
reporting procedures.
Legal Frameworks:
1. EU Directive on Attacks Against Information Systems: This European
Union directive addresses attacks against information systems and sets
out penalties for unauthorized access, interference, and system damage.
2. Cybersecurity Information Sharing Act (CISA): In the U.S., CISA
legislation encourages the sharing of cybersecurity threat information
between private sector entities and government agencies to enhance
cybersecurity.
3. Data Breach Notification Laws: Many countries and states have
implemented data breach notification laws, requiring organizations to
report security breaches and notify affected individuals promptly.
Challenges:
1. Global Jurisdiction: Cybercrimes often transcend national borders,
making it challenging to prosecute cybercriminals. Legal harmonization
and international cooperation are essential but complex.
2. Cyber Attribution: Attributing cyberattacks to specific individuals or
entities can be complex, as attackers often hide behind anonymizing
tools or operate from countries with weak cybersecurity laws.
3. Economic Consequences: The attack resulted in fuel shortages, price
increases, and supply chain disruptions, impacting various industries.

References:
https://www.axios.com/2023/05/08/colonial-pipeline-ransomware-attacks-unexpected-legacy

2.3 Case 3: NHS Ransomware 2017
2.3.1 Q1 NHS Ransomware 2017 Incident and Impact
In May 2017, the National Health Service (NHS) in the United Kingdom was hit
by a large-scale ransomware attack. The attack, known as WannaCry, affected
over 200,000 computers in at least 150 countries, with the NHS being one of
the most impacted organizations. The attack exploited a vulnerability in the
Windows operating system to spread rapidly across networks.
The impact of the NHS ransomware attack was significant. Many hospitals and
clinics were unable to access patient records, resulting in canceled
appointments and delayed treatments. Emergency departments had to divert
patients to other hospitals, and some non-emergency surgeries had to be
postponed. This attack highlighted the vulnerabilities in the healthcare sector's
IT systems and the potential risks to patient safety.
2.3.2 Q2 NHS Ransomware 2017 Primary Motives of Cybercriminals
The primary motive of the cybercriminals behind the NHS ransomware attack
was financial gain. Ransomware attacks involve encrypting files on a victim's
computer and demanding a ransom payment in exchange for the decryption
key. In the case of WannaCry, the attackers demanded payment in Bitcoin. By
targeting a large organization like the NHS, the cybercriminals aimed to
maximize their potential payout.
2.3.3 Q3 Two Attack Methods Used in the NHS Ransomware Attack:
Attack 1:

The first attack began on May 12, 2017, when a strain of ransomware called
WannaCry, also known as WannaCrypt, infected the NHS computer systems. It
initially spread through a worm-like mechanism by exploiting a vulnerability in
the Windows operating system, known as EternalBlue, which was developed by
the US National Security Agency (NSA) but leaked by a hacker group called
the Shadow Brokers.
Encryption of files: Once the ransomware infected a computer, it started
encrypting files, rendering them inaccessible to the users. The victims were then
prompted to pay a ransom in Bitcoin to obtain the decryption key needed to
unlock their files.
Rapid spread: WannaCry had the ability to spread quickly within networks by
exploiting vulnerabilities in the Windows operating system. It could scan for
and infect other vulnerable computers connected to the infected network,
leading to a widespread impact within the NHS.

Attack 2:

Phishing email: The second attack occurred on June 27, 2017, when another
ransomware variant called Petya, or NotPetya, infiltrated the NHS systems. This
attack started with a phishing email, designed to trick users into opening a
malicious attachment or clicking on a malicious link.
Malware execution: Once a user fell victim to the phishing email, malware was
executed on their computer. This malware exploited a vulnerability in the
Windows operating system, known as EternalBlue (the same vulnerability
exploited by WannaCry).
Spreading internally: Once it had infected a single computer, the Petya ransomware
variant had the ability to spread internally within the network using various
methods, including harvesting credentials and exploiting vulnerabilities. This
allowed it to propagate quickly through interconnected systems within the NHS.

2.3.4 Q4 Security Policies and Controls to Secure Systems from Similar Attacks:

To secure systems from similar attacks, organizations should implement the
following security policies and controls:
• Regular software updates and patch management to address vulnerabilities.
• Strong endpoint protection, including antivirus and anti-malware software.
• Employee cybersecurity training to raise awareness about phishing emails and
suspicious attachments.
• Regular data backups to ensure quick recovery in case of a ransomware attack.
• Network segmentation to limit the lateral movement of malware.

2.3.5 Q5 Briefly discuss the security standards and legal frameworks and
challenges that are relevant to your work.

The NHS is subject to various security standards and legal frameworks, such as
the General Data Protection Regulation (GDPR) and the Cyber Essentials
scheme. These standards outline requirements for protecting personal data,
implementing appropriate technical and organizational measures, and
conducting regular security assessments. Failure to comply with these standards
can result in fines and reputational damage.
The legal framework relevant to the NHS ransomware attack includes the
Computer Misuse Act 1990, which criminalizes unauthorized access to
computer systems and the intentional spreading of malware. Perpetrators of
such attacks can face imprisonment and financial penalties.

References:
https://searchsecurity.techtarget.com/definition/WannaCry-ransomware
https://www.bbc.com/news/technology-39896393

Conclusion:
In conclusion, these three cases collectively illustrate the necessity for
organizations and governments to continuously enhance their cybersecurity
practices. Strengthening security measures, investing in threat detection and
response capabilities, and promoting collaboration and information sharing
within and between sectors are vital steps in safeguarding against future cyber
threats. It is crucial for businesses and organizations to prioritize cybersecurity
as an ongoing and ever-evolving effort to ensure the protection of digital assets,
critical infrastructure, and the privacy and safety of individuals.
